Introduction

In a continuing tough economic climate, companies are looking for ways to save money. Productivity applications (word processing, spreadsheet, presentation etc.) have traditionally taken a significant chunk out of the software budget. Now free or low-cost alternatives such as Google Apps and Microsoft's new Office Web Apps 2010 are looking attractive - but what are the drawbacks? Are these "cloud applications" the future of business? Do they present risks that are unacceptable for security-focused companies? In this two-part article, we'll take a look at web apps from a security point of view.

The Evolution of the Web

The Internet has been around (first in the form of ARPANET) since the 1960s, but the World Wide Web is not nearly as old. The Web was the brainchild of Tim Berners-Lee at CERN, who came up with the idea in the early 1980s but wasn't able to get the resources to get it off the ground until the 1990s. The first web pages were simple HTML coded text and the early hypertext browsers, such as Lynx, didn't support graphics, scripting, animation and the like. It was all about the links.

Graphical web browsers (particularly Mosaic) led to the first big step in the Web's evolution. Web pages could display images, including animated GIFs. With scripting, Java, ActiveX and other such technologies, web developers were able to build sites that went far beyond merely presenting information. Users could interact with the sites, and e-commerce, e-banking and other forms of electronic transactions were born.

Web 2.0 is a term often attributed to publisher Tim O'Reilly, who popularized the concept in 2004 when his company began hosting an annual Web 2.0 conference. The name was actually coined in 1999 by Darcy DiNucci. Regardless of the origin of the name, the Web 2.0 ideas and technologies ushered in the era of social networking and communities driven by user-created content. An important part of O'Reilly's vision of Web 2.0 was the Web as a platform where applications are accessed via a web browser and run as services rather than traditional software applications.

Today, technologies such as Javascript, XML/Ajax, Flash/Flex, Silverlight, etc. can be used to create sophisticated applications that run "in the cloud" and are delivered via web browser. The advantage is that these applications don't have to be installed on the client computers and can be accessed from anywhere - a factor that's important in a business environment that is increasingly mobile.

Web Applications Today

The model of delivering applications over the Internet is not new. It was marketed in the early 2000s as ASP (Application Service Provider) and then again a few years later as SaaS (Software as a Service). Although it found some customers, it never really caught on as the providers hoped. There was a great deal of resistance in some quarters to the idea of outsourcing IT in this way, along with concerns about reliability and security. But the idea won't die; it's been renamed "The Cloud." Google has led the way in the consumer/small business space and now Microsoft is, according to CEO Steve Ballmer, "all in".

With fast, low-cost, fairly reliable Internet connectivity more widely available to both consumers and businesses in the form of cable, DSL and fiber optic (FiOS, U-Verse), it might seem that the time has come to dump traditional productivity software and do it all online. The availability of free or low cost offerings such as Google Apps and Microsoft Web Apps, combined with an economy that has most companies still operating on tight budgets, makes this option even more attractive.

Google Apps for Business Standard Edition includes Gmail, Google calendar, Google Docs (word processing, spreadsheets and presentations) and Google Sites (for creating collaborative web pages for team projects), with up to 50 user accounts. There is also a Premier version ($50 per user/year) that adds Google Video and Google Groups, 25GB email storage per user, Blackberry and Outlook interoperability, Single Sign-on, forced SSL, custom password strength requirements and more business features.

Microsoft Web Apps provides online versions of Word, Excel, PowerPoint and OneNote, compatible with mobile devices (Windows Mobile, iPhone, Blackberry and others). It's fully integrated with the desktop version of Office 2010 and with Windows Live SkyDrive. Businesses that have volume licensing agreements for Office 2010 can run Office Web Apps on-premises on a SharePoint server. Microsoft also offers Business Productivity Online Standard Suite (BPOS), with online versions of Exchange, SharePoint, Office Live Meeting and Office Communications, priced at $10 per user/month.

In part one of this article, we'll look at Google Apps. In part two, we'll take a look at Microsoft's Office Web Apps and BPOS. There are many reviews and comparisons of these services' features and functionality available on the web, but we will only be addressing the security issues associated with each service and with web-based productivity applications in general.

Google Apps Security Issues

Google touts their full-time security team that's part of the Software Engineering and Operations organization, which develops security review processes, builds the security infrastructure and plays a major part in creating and implementing security policies. Google Apps relies on a distributed environment and distributed file system to locate customer data across multiple datacenters. They have produced a white paper that addresses the security of Google Apps products.

The paper says "Data chunks are given random file names and are not stored in clear text so they are not humanly readable." An authentication broker uses X.509 certificate-based trusts to require that requests between the components of the system are authenticated and authorized. Secure Shell (SSH) connections are required for administrative access. All administrative access to user data is logged. The documentation states that the logs are "reviewable on an as-needed basis." That would seem to indicate that not all logs are routinely reviewed; routine review would be a more secure (but more time-consuming and expensive) policy.

User Data

Google Apps data that is deleted by the user is made inaccessible from the user's interface and then pointers to the data are removed from the server. The data itself is, according to Google's documentation, "overwritten with other customer data over time." As with any deleted data that's not explicitly overwritten immediately, the data itself remains on the server and could be recovered through forensic procedures. Google's policies require that whenever a disk is disposed of, it must be erased and that "the erasure consists of a full write of the disk with all zeros, and a full read of the disk is done to ensure that the drive is blank".

A single overwrite with zeros is the quickest method for "erasing" a disk, but it's more secure to use a multi-pass method that overwrites with random characters. The single overwrite with zeros is sufficient for most purposes, but it is still possible to recover some data. Thus organizations that are especially concerned about security use the Schneier method (which uses seven passes) or the Gutmann method (which uses twenty-seven passes), both of which use random data. These, of course, take more time.
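To make the two policies concrete, here is an added example (not from Google's documentation or this article) that implements both the single-pass-with-zeros erasure with a verification read, as the quoted policy describes, and an optional number of random-data passes before the final zero pass; it operates on an ordinary file in a temporary directory rather than a raw disk device, and the sample "customer data" it writes is constructed.

```python
import os
import secrets
import tempfile
from typing import Optional

CHUNK = 64 * 1024  # overwrite and verify in 64 KiB pieces so large files need not fit in memory


def overwrite_pass(path: str, pattern: Optional[bytes]) -> None:
    """Overwrite every byte of the file in place.
    pattern=None writes a fresh random stream (the kind of pass the multi-pass methods use);
    a fixed one-byte pattern such as b"\\x00" is repeated across the whole file."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the overwrite to the device, not just the OS page cache


def verify_blank(path: str) -> bool:
    """Full read-back of the file: True only if every byte is zero."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if any(chunk):
                return False
    return True


def sanitize(path: str, random_passes: int = 0) -> bool:
    """random_passes random-data passes, then a final all-zeros pass, then a verification read.
    random_passes=0 is the single-overwrite-with-zeros policy; 7 mirrors the Schneier pass count."""
    for _ in range(random_passes):
        overwrite_pass(path, None)
    overwrite_pass(path, b"\x00")
    return verify_blank(path)


def demo(random_passes: int = 0) -> bool:
    """Create a constructed sample file, sanitize it, and report whether it verified as blank."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONFIDENTIAL customer record 42\n" * 5000)
    try:
        size_before = os.path.getsize(path)
        ok = sanitize(path, random_passes)
        return ok and os.path.getsize(path) == size_before
    finally:
        os.remove(path)
```

Overwriting a file in place gives no guarantee on SSDs or journaling file systems, where the old blocks may survive remapping; the policy in the article applies to whole physical disks, which is the only level at which a full-write-then-read cycle is meaningful.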

Physical Security and Personnel

A key concern for businesses considering putting some or all of their IT processes into the cloud is not knowing where the data is physically stored and who may have physical access to it. When your servers are on-premises, you can take steps to ensure that they are adequately protected from physical access, and you know exactly which of your employees have access and can hold them personally accountable.

Google does not, by policy, reveal to you the geographic location of your data. Under its terms of service, your data can be moved from one server to another. This could be a problem if there is ever an issue where legal jurisdiction comes into play. What we do know is that Google uses a multi-tenant platform. That means your data is not stored on a dedicated server; other companies' data is stored on the same server. This saves money and lowers the cost to the customer, but is less secure.

Google assures us that "Google employees are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards." They go on to describe how they perform reference checks and background investigations on potential employees and provide training in security and the company's code of conduct. Each employee has a unique user ID, which tracks the employee's access to customer data.

According to the documentation, physical security at all datacenters follows standard best practices such as electronic card-controlled access, alarms, monitored cameras and guards, with an approval and auditing policy for visitors.

All of these policies sound good; the key is how well they're adhered to and "who's watching the watchers." Basically, companies must trust that Google's hiring practices and security policies are sufficient to prevent errant employees from misusing their data. This is, of course, true of any cloud provider and not just Google. Anytime you outsource, you give up some measure of control over security.

Network Security

Another concern is for the security and integrity of the network on which cloud servers reside and how it is protected from malware and attackers. Google's security team is responsible for scanning for security threats and penetration testing; software security reviews and external audits are said to be performed regularly. They have an incident response team and staff members trained in forensics. "Industry standard firewall and ACL technology" protects the network perimeter. Servers run on a stripped-down, hardened version of Linux, with "proprietary software" continuously monitoring systems for modifications to the standard image.

While the documentation outlines the basics of Google's network security strategy, there's not much specificity. We don't know what types of firewalls are used and where and how they're deployed. Of course, withholding that information makes sense from the security standpoint. You don't want to give away your positions to potential attackers. From the point of view of the company using Google Apps, it becomes another issue that must be taken on faith.

Customer Options

Customers do have some security options that they can directly use in managing their Google Apps:

The Premier, Education and Partner editions offer a single sign-on service (SSO) that can be integrated with LDAP or other SSO systems. That in turn makes it possible to use biometrics, hardware tokens and other types of two-factor authentication.

You can define password strength requirements.

You can reset users' sign-in cookies in case of loss or theft of a laptop or other portable device that's used to sign into Google Apps.

You can require all users in your domain to use HTTPS for encrypted communications between the Google servers and the end-users' computers.

You can require TLS for SMTP, for encrypted transfer of mail between specified domains, to protect sensitive communications.

Security Concerns

The City of Los Angeles recently made the decision to transition to Google Apps (replacing a Novell Groupwise email system and Microsoft Office applications). The company missed the deadline for completing the project due to security concerns raised by the L.A. Police Department.

Security concerns related to Google Apps are in large part based on concerns regarding the Web as a platform. Most malware is delivered via the Web and all web browsers are subject to vulnerabilities, as evidenced by the frequency of patches issued for them. Another major concern has to do with the fact that many different companies' data is stored on the same servers, which raises the possibility of one customer being able to access another customer's data. These are big issues that have been raised regarding SaaS/cloud computing for years.

Other concerns are specific to Google; some customers are concerned that the company has demonstrated a disregard for privacy, as in the collection of data from unsecured Wi-Fi networks (which Google says was a mistake).

Summary

Google's stated policies regarding the security of customer data are good and they have a number of mechanisms in place for protecting that data. However, the methods they use may not always meet the standards of companies that need to send email or create documents dealing with extremely sensitive information (for example, the data deletion and disk disposal policies and methods). Some companies will also be put off by the lack of detail in some of their documentation of security protections and by the policy against revealing to you where your data physically resides. It all ultimately comes down to three questions: First, do you trust the Cloud for storage of your data and delivery of your applications? Second, do you trust the Web as a platform? Third, do you trust Google as a provider?

In the second part of this two-part article, we'll look at the security of Microsoft's Office Web Apps and BPOS offerings.

Deb Shinder

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.
